Some SMT clients show up to date when they shouldn't



sysengPS
09-Sep-2013, 21:42
I have a SLES11, sp2 environment, and none of the machines are able to get outside the network. There's incoming data for their webapp, but otherwise they are locked down.
I need to be able to patch them, so I've installed SMT on a Suse box on another VLAN, and set up rules so it can talk to the VLANs that the other machines live in. And this works, to an extent.
I'm able to register the individual VMs with the SMT box, but am unable to get the SMT added on them. I don't have the SMT server in my dns, so I add the server to my hosts file. My steps are:
1. Add SMT server to host file using
echo 192.168.x.x pcipfesmt.x.com pcipfesmt >> /etc/hosts
2. Download clientSetup4SMT.sh to client box & make it executable
wget -O /tmp/clientSetup4SMT.sh https://pcipfesmt.x.com/repo/tools/clientSetup4SMT.sh && chmod +x clientSetup4SMT.sh
3. run clientSetup4SMT.sh
./clientSetup4SMT.sh --host pcipfesmt.x.com
The registration here usually fails, during refreshing service 'SMT_http_pcipfesmt_x_com'. It says "Download (curl) error for 'http://pcipfesmt.x.com//repo/repoindex.xml?credentials=NCCcredentials':
Error code: Connection failed
Error message: couldn't connect to host"
Retrying doesn't work, of course, so I abort, am told to file a bug report, am also told that registration was successful, and am taken back to the prompt. The registration shows up on the smt-server, and patch status shows up as unknown or up-to-date. None of the mirrored repositories are added to the client.

I would say that this could be network related, however I'm able to connect to the box from the client to download the cert. Can anyone offer any help?

Thanks

sysengPS
09-Sep-2013, 22:40
I can't figure out how to edit my original post, but I wanted to add that I'm using new zypp NCCcredentials when I register each box.
rm /etc/zypp/credentials.d/NCCcredentials
rm /var/cache/SuseRegister/lastzmdconfig.cache
Which has allowed me to register cloned machines with NCC in the past.

jmozdzen
09-Sep-2013, 22:56
Hi sysengPS,

anything in the logs? Please check both ~root and /var/log (esp. smtclient.log and zypper.log) and if nothing catches the eye, I'd run clientSetup4SMT.sh with "-x" to get some info where curl is invoked and what it's trying to do.

Regards,
Jens

Stevo
09-Sep-2013, 23:56
sysengPS sounds like they 'said':

> I would say that this could be network related, however I'm able to
> connect to the box from the client to download the cert. Can anyone
> offer any help?
>
So my response to sysengPS's comment is...

You try running the command setting https for your SMT box?

../clientSetup4SMT.sh https://pcipesmt.x.com ?

That's how I registered my sles servers with my SMT box, but I do have
my SMT box in my local dns.

--
Stevo

sysengPS
10-Sep-2013, 00:35
This is the latest entry in smtclient.log
2013-09-09 18:05:01: () ERROR: Unable to request next job: 401 Authorization Required-<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <title>Authentication required!</title> <link rev="made" href="mailto:root@PCIPFESMT" /> <style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;} /*]]>*/--></style> </head> <body> <h1>Authentication required!</h1> <p> This server could not verify that you are authorized to access the URL "/=/1/jobs/@next". You either supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required. </p> <p> In case you are allowed to request the document, please check your user-id and password and try again. </p> <p> If you think this is a server error, please contact the <a href="mailto:root@PCIPFESMT">webmaster</a>. </p> <h2>Error 401</h2> <address> <a href="/">pcipfesmt.x.com</a><br /> <span>Mon Sep 9 18:04:58 2013<br /> Apache/2.2.12 (Linux/SUSE)</span> </address> </body> </html>

suse_register has the following as its latest entry:

2013-09-06 14:00:14 SUSE::SRPrivate - [info] <zmdconfig xmlns="http://www.novell.com/xml/center/regsvc-1_0" lang="en"><guid>1b51804f79a84677be79b4058e5a02f9</guid><service id="SMT-pcipfesmt_x_xom" description="Local NU Server" type="nu"><param id="url">http://pcipfesmt.x.com/</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP1-VMware-Pool/sle-11-x86_64">SLES11-SP1-VMware-Pool</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP1-VMware-Updates/sle-11-x86_64">SLES11-SP1-VMware-Updates</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP2-VMware-Updates/sle-11-x86_64">SLES11-SP2-VMware-Updates</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP2-VMware-Core/sle-11-x86_64">SLES11-SP2-VMware-Core</param><param name="catalog" url="http://pcipfesmt.x.com/repo/$RCE/SLES11-SP2-Extension-Store/sle-11-x86_64">SLES11-SP2-Extension-Store</param></service><status generated="1378490412"><productstatus product="SLES-for-VMware" version="11.2" release="" arch="" result="success" errorcode="OK"><message>Ok.</message></productstatus></status></zmdconfig>

I'm probably missing something obvious here, but :(.

./clientSetup4SMT.sh -x
Unknown option -x

sysengPS
10-Sep-2013, 01:06
./clientSetup4SMT.sh https://pcipfesmt.x.com

I get the cert and accept it. I start the registration process, and same error.

jmozdzen
10-Sep-2013, 11:39
Hi sysengPS,

> This is the latest entry in smtclient.log
> 2013-09-09 18:05:01: () ERROR: Unable to request next job: 401 Authorization Required-<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <title>Authentication required!</title> <link rev="made" href="mailto:root@PCIPFESMT" /> <style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;} /*]]>*/--></style> </head> <body> <h1>Authentication required!</h1> <p> This server could not verify that you are authorized to access the URL "/=/1/jobs/@next". You either supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required. </p> <p> In case you are allowed to request the document, please check your user-id and password and try again. </p> <p> If you think this is a server error, please contact the <a href="mailto:root@PCIPFESMT">webmaster</a>. </p> <h2>Error 401</h2> <address> <a href="/">pcipfesmt.x.com</a><br /> <span>Mon Sep 9 18:04:58 2013<br /> Apache/2.2.12 (Linux/SUSE)</span> </address> </body> </html>

So for some reason, your SMT server is rejecting the credentials that are presented by the client. Maybe more details (and even if it's "wrong credentials", as opposed to "configuration problem at the server" or "database down" or alike) can be found in the server's Apache logs.


> ./clientSetup4SMT.sh -x
> Unknown option -x

While it doesn't currently seem important in your specific case, I meant to set the shell's tracing feature - so either "set -x;./clientSetup4SMT.sh;set +x" or, more easily, "bash -x ./clientSetup4SMT.sh"

With regards,
Jens

sysengPS
10-Sep-2013, 14:19
This is on a different client:


set -x;./clientSetup4SMT.sh --host pcipfesmt.X.com;set +x
+ ./clientSetup4SMT.sh --host pcipfesmt.X.com
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a5:2e:6d:d2:cb:ff:b9:bc
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, CN=YaST_Default_CA/emailAddress=syseng@X.com
Validity
Not Before: Sep 6 15:16:46 2013 GMT
Not After : Sep 4 15:16:46 2023 GMT
Subject: C=US, CN=YaST_Default_CA/emailAddress=syseng@X.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Netscape Comment:
YaST Generated CA Certificate
Netscape Cert Type:
SSL CA, S/MIME CA
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
6E:F0:89:5F:6A:D6:BD:0B:55:30:3E:FE:A3:98:BE:01:D7:F4:A2:95
X509v3 Authority Key Identifier:
keyid:6E:F0:89:5F:6A:D6:BD:0B:55:30:3E:FE:A3:98:BE:01:D7:F4:A2:95
DirName:/C=US/CN=YaST_Default_CA/emailAddress=syseng@X.com
serial:A5:2E:6D:D2:CB:FF:B9:BC

X509v3 Subject Alternative Name:
email:syseng@X.com, IP Address:192.168.193.35
X509v3 Issuer Alternative Name:
email:syseng@X.com, IP Address:192.168.193.35
Signature Algorithm: sha1WithRSAEncryption
Do you accept this certificate? [y/n] y
Client setup finished.
Start the registration now? [y/n] y
/usr/bin/suse_register -i -L /root/.suse_register.log
Refreshing service 'SMT-http_pcipfesmt_X_com'.
Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
Error code: Connection failed
Error message: couldn't connect to host

Abort, retry, ignore? [a/r/i/?] (a):
Unexpected exception.
[|] Error trying to read from 'http://pcipfesmt.X.com/?credentials=NCCcredentials'
History:
- Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
Error code: Connection failed
Error message: couldn't connect to host


Please file a bug report about this.
See http://en.opensuse.org/Zypper/Troubleshooting for instructions.
Refreshing service 'SMT-http_pcipfesmt_X_com'.
Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
Error code: Connection failed
Error message: couldn't connect to host

Abort, retry, ignore? [a/r/i/?] (a):
Unexpected exception.
[|] Error trying to read from 'http://pcipfesmt.X.com/?credentials=NCCcredentials'
History:
- Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
Error code: Connection failed
Error message: couldn't connect to host


Please file a bug report about this.
See http://en.opensuse.org/Zypper/Troubleshooting for instructions.
Registration finished successfully
+ set +x

It shows up on the smt server as unknown. When I run smt-agent on the client, the client shows up on the server as up-to-date.

Latest on smtclient.log


2013-09-10 09:00:38: (14) running job 14
2013-09-10 09:00:38: () jobid: 14
2013-09-10 09:00:38: (14) got jobid "14" with jobtype "patchstatus"
2013-09-10 09:00:38: () successfully loaded handler for jobtype "patchstatus"
2013-09-10 09:00:38: (14) jobhandler for patchstatus called
2013-09-10 09:00:38: (14) patchstatus runs jobid "14"
2013-09-10 09:00:41: (14) job 14 message: 0:0:0:0 # PackageManager=0 Security=0 Recommended=0 (Bugfix=0) Optional=0 (Enhancement=0 Feature=0 Document=0 Other=0)
2013-09-10 09:00:41: (14) job 14 exitcode: 0
2013-09-10 09:00:41: (14) job 14 statuscode: true
2013-09-10 09:00:41: (14) updating job 14 (1) message: 0:0:0:0 # PackageManager=0 Security=0 Recommended=0 (Bugfix=0) Optional=0 (Enhancement=0 Feature=0 Document=0 Other=0)
2013-09-10 09:00:41: () successfully updated job 14
2013-09-10 09:00:41: () job 14 finished successfully, see job message for details
2013-09-10 09:00:45: () no jobs left. exit.


And on the smt-server, in access_log:

source IP address - - [10/Sep/2013:09:00:30 - 0400] "GET /repo/tools/smt-client.x86_64.rpm HTTP/1.1" 200 27162
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/@next HTTP/1.1" 200 154
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/14 HTTP/1.1" 200 154
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/14 HTTP/1.1" 200 2
source IP address - 7013e71184dc422bb536204d1e29fbda [10/Sep/2013:09:00:37 - 0400] "Get /=/1/jobs/@next HTTP/1.1" 200 7
source IP address - - [10/Sep/2013:09:05:00 - 0400] "GET /repo/tools/smt-client.x86_64.rpm HTTP/1.1" 401 1275

Nothing shows up in error_log

smt-register shows registration success for the above code.

Thanks for helping with this.

sysengPS
12-Sep-2013, 22:09
Has anyone seen this problem before?

jmozdzen
16-Sep-2013, 18:40
Hi sysengPS,


> Download (curl) error for 'http://pcipfesmt.X.com//repo/repoindex.xml?credentials=NCCcredentials':
> Error code: Connection failed
> Error message: couldn't connect to host

if it's not the server, might you have a DNS or network problem? Have you tried accessing that URL from that machine manually, i.e. via wget, to see if the connection basically works and to have a controlled test case?

Regards,
Jens

sysengPS
31-Dec-2013, 14:04
Just saw this thread and wanted to (finally) update. It was a firewall rule blocking port 80 I think. Thanks for the help.

jmozdzen
31-Dec-2013, 15:20
Hi sysengPS,

cleaning up the old year, ey? ;)

Thank you for giving that final info - and a happy new year to you!

Regards,
Jens
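
Added example, not part of the original thread: the zmdconfig entry quoted above hands the client plain http:// repository URLs even though the setup script was fetched over https://, so the firewall has to pass every port named in those URLs and not only the one used during setup. The script below lists the scheme, host and port triples found in such an entry and, with the hypothetical `--probe` switch, tests each one by TCP connect from the client. The host name smt.example.com, the sample data and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Host names and the sample are constructed.

# Print the unique "scheme host port" triples found in the service and catalog
# URLs of a suse_register <zmdconfig> entry read from stdin. Only url="..."
# attributes and <param id="url"> values are read, so the xmlns namespace URI
# is not mistaken for an endpoint.
required_endpoints() {
    grep -oE '(url="|id="url">)https?://[^/"<[:space:]]+' |
    sed -E 's/^(url="|id="url">)//' |
    awk -F'://' '{
        port = ($1 == "https") ? 443 : 80   # default port for the scheme
        n = split($2, hp, ":")
        if (n == 2) port = hp[2]            # an explicit :port overrides it
        print $1, hp[1], port
    }' | LC_ALL=C sort -u
}

# TCP connect test only (no HTTP request). Returns 0 when the port answers.
tcp_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Constructed sample shaped like the zmdconfig log entry quoted in the thread.
SAMPLE='<zmdconfig xmlns="http://www.novell.com/xml/center/regsvc-1_0">
<service id="SMT-smt_example_com" type="nu"><param id="url">http://smt.example.com/</param>
<param name="catalog" url="http://smt.example.com/repo/$RCE/SLES11-SP2-Updates/sle-11-x86_64">SLES11-SP2-Updates</param>
<param name="catalog" url="https://smt.example.com:8443/repo/$RCE/Extra/sle-11-x86_64">Extra</param>
</service></zmdconfig>'

if [ "${1:-}" = "--probe" ]; then
    # Real use: feed the client's log on stdin and test each endpoint from it.
    required_endpoints | while read -r scheme host port; do
        if tcp_open "$host" "$port"; then state=open; else state=BLOCKED; fi
        printf '%-5s %s:%s %s\n' "$scheme" "$host" "$port" "$state"
    done
else
    printf '%s\n' "$SAMPLE" | required_endpoints
fi
```

On a client, run it with `--probe < /root/.suse_register.log` (the log path shown in the session above); a BLOCKED line for port 80 beside an open 443 is the pattern this thread ended on.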